Case Study: Transitioning to using Active Directory Federation Services with SharePoint 2010 Joe Karam Princeton University Office of Information Technology SharePoint Saturday New Jersey 2014

Post on 14-Dec-2014

Page 1

Case Study: Transitioning to using Active Directory Federation Services with SharePoint 2010

Joe Karam, Princeton University, Office of Information Technology

SharePoint Saturday New Jersey 2014

Page 2

New Jersey SharePoint user group

• Different SharePoint discussions each month on various topics. Announced on meetup.com
• Meets 4th Tuesday of every month
• 6pm – 8pm
• Microsoft Office (MetroPark)
• 101 Wood Ave, Iselin, NJ 08830
• http://www.njspug.com

Page 3

Thank You Event Sponsors

• Diamond & Platinum sponsors have tables here in the Fireside Lounge

• Please visit them and inquire about their products & services

• Also to be eligible for prizes make sure to get your bingo card stamped

Page 4

Agenda

• Introduction to SharePoint & ADFS @Princeton
• Advantages and concerns with transitioning to ADFS
• Configuration considerations with ADFS and SharePoint 2010
• Issues with migrating data between NTLM and ADFS SharePoint environments
• Issues with using ADFS and AD Groups
• Cookie options with ADFS and impact on Office applications
• Troubleshooting issues with ADFS and user profile services
• Summary

Page 5

Princeton SharePoint Implementation

• Using SharePoint 2007 since 2008
• Currently migrating to SharePoint 2010 (over 80% complete)
• Mostly used for internal department collaborations
• Very little student use
• Approximately 110 department sites
• Approximately 750GB farm size
• Some customized sites
• Decentralized administration

Page 6

What is Active Directory Federation Service (ADFS)?

• Provides single sign-on to authenticate users to multiple web applications in a single session using token claims.
• Allows organizations to provide access to trusted users from different domains.
• Domain users and groups are encoded as claim identities
• READ: How claims encoding works in SharePoint 2010

Page 7

Why did Princeton choose ADFS for SP 2010?

• Consistent authentication experience for a variety of clients using SharePoint 2010, from on-campus to all over the world
• Improve security for authentication with SharePoint
• Planning for the future: migrating to Office 365 and using with other SSO applications
• Microsoft “encouragement” to use claims-based authentication, with only limited support for classic authentication

Page 8

Princeton SharePoint 2010 Environment

• Two virtual ADFS servers
• Three virtual SharePoint 2010 front-end servers
• Two virtual SharePoint 2010 application servers
• SQL Cluster backend with SAN storage
• F5 Load Balancer
• Firewall
• AvePoint DocAve management

Page 9

Is it an F5 issue? An ADFS issue? A SharePoint issue?

• Our first experience with ADFS, SharePoint 2010, and F5
• Microsoft technical support going back and forth between ADFS and SharePoint teams for troubleshooting
• Finding a trusted expert to assist us with integrating these services

Page 10

ADFS Configuration Recommendations

• Many useful resources are available
• Primarily used Steve Peschka’s guide for configuring ADFS & SharePoint farm
• Official Microsoft documentation
• Expiration time of token signing certificate between ADFS and SharePoint (x509 certificate)
• Determine ADFS session cookie timeout to work properly with SharePoint cookie timeout
• Learn how the ForeFront Identity Manager interacts with the User Profile Sync Service in SharePoint 2010

Page 12

Migrating data between ADFS (SP 2010) and NTLM (SP 2007)

• Microsoft AD Claims mapping scripts & tools
• Third Party Tools – AvePoint DocAve
• Mapping users and groups properly
• DOMAIN\USER to i:0ǵ.t|adfs 2.0|USER
• DOMAIN\GROUP to c:0-.t|adfs 2.0|GROUP
• Ensure AD Groups are listed as “Domain Group”
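An added example (not from the slides or Princeton's migration tooling) that encodes DOMAIN\NAME principals into the two claims forms shown on this slide, decodes them back, and reports export entries whose principal type is not "User" or "Domain Group" so they can be fixed before the migration run. The provider name "adfs 2.0" and the identity-claim type character are taken from the slide as printed; the sample export entries are constructed.

```python
import re

# Constants follow the two mappings on the slide; the provider name and the
# identity-claim type character are copied as the slide prints them.
PROVIDER = "adfs 2.0"   # name of the trusted identity provider in SharePoint
USER_TYPE_CHAR = "ǵ"    # identity claim type character, as printed on the slide
GROUP_TYPE_CHAR = "-"   # role claim type character (AD group)
ISSUER_CHAR = "t"       # 't' = trusted identity provider issuer

NTLM_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>[^\\]+)$")
CLAIM_RE = re.compile(
    r"^(?P<kind>[ic]):0(?P<type>[^.]+)\.(?P<issuer>[^|]+)\|(?P<provider>[^|]*)\|(?P<value>.+)$")


def encode_claim(ntlm_name, is_group):
    """DOMAIN\\NAME -> claims-encoded identity ('i:') or group ('c:') string."""
    m = NTLM_RE.match(ntlm_name)
    if not m:
        raise ValueError(f"not a DOMAIN\\NAME principal: {ntlm_name!r}")
    kind, type_char = ("c", GROUP_TYPE_CHAR) if is_group else ("i", USER_TYPE_CHAR)
    return f"{kind}:0{type_char}.{ISSUER_CHAR}|{PROVIDER}|{m.group('name')}"


def decode_claim(claim):
    """Split a claims-encoded string into its parts; raises ValueError if malformed."""
    m = CLAIM_RE.match(claim)
    if not m:
        raise ValueError(f"not a claims-encoded principal: {claim!r}")
    parts = m.groupdict()
    parts["kind"] = "group" if parts["kind"] == "c" else "user"
    return parts


def build_mapping(entries):
    """Map (ntlm_name, principal_type) pairs from an SP 2007 permissions export.
    Only 'User' and 'Domain Group' entries are mapped; anything else is returned
    in 'skipped' so it can be corrected first (slide: groups must be 'Domain Group')."""
    mapping, skipped = {}, []
    for name, ptype in entries:
        if ptype == "User":
            mapping[name] = encode_claim(name, is_group=False)
        elif ptype == "Domain Group":
            mapping[name] = encode_claim(name, is_group=True)
        else:
            skipped.append((name, ptype))
    return mapping, skipped


# Constructed sample export (hypothetical names, not real Princeton data).
SAMPLE_ENTRIES = [
    ("PRINCETON\\jkaram", "User"),
    ("PRINCETON\\OIT-Admins", "Domain Group"),
    ("PRINCETON\\OIT-Announce", "Distribution List"),  # mis-typed: not migrated
]
```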

Page 13

General Concerns #1

• Search Service Application requires an NTLM web application, but make sure you do not put the search site in the Intranet zone. Use Extranet, Internet, or Custom. Outlook uses the Intranet zone first by default when connecting to SharePoint.
• Set session cookies to false (default) to ensure Office applications do not need to re-authenticate (use persistent cookies)
• Investigate whether F5 should use source IP address or cookie-based persistence type
• Test Explorer View and Access DataSheet views to ensure they work properly (hotfix for Access)

Page 14

General Concerns #2

• Built-in People Picker does not work effectively with ADFS. Build a custom people picker or try an open source people picker.
• InfoPath is not fully supported with ADFS
• Incoming email requires changes to properly map users with the trusted identity provider
• Test email-enabled AD Groups to ensure alerts work properly
• “Sign In as Different User” does not work unless closing the browser, using run-as, or in-private browsing?
• Test Macintosh Microsoft Document Connection
• Meeting Attendee lists require full email address

Page 15

Summary

• Test, Test, Test – all clients, internal networks, internet, all critical functions
• Monitor end-to-end, validating that ADFS and SharePoint are authenticating users properly
• SharePoint 2013 does resolve many issues (especially with cookies)
• Just found: A good summary experience from Red Cross

Page 16

Next Steps?

• Upgrading to SharePoint 2013 and Office 365
• Continue the discussion:
• [email protected]
• LinkedIn (jkaram)
• Yammer (jkaram)
• Twitter (@jkaram)

Page 17

Appendix: Incoming email Commands

• Need to have latest CU installed for SP 2010
• Can run either of the following in the SharePoint 2010 Management Shell:

  Per web application:

    # "<web application URL>" is a placeholder; Get-SPWebApplication needs one web application, not all of them
    $w = Get-SPWebApplication -Identity "<web application URL>"
    # stop resolving incoming-mail senders against Active Directory ...
    $w.Properties["disable-active-directory-resolve"] = "true"
    # ... and resolve them against the trusted identity provider instead
    $w.Properties["enable-trusted-resolve"] = "true"
    $w.Update()

  OR farm-wide:

    $farm = Get-SPFarm
    $farm.Properties["disable-active-directory-resolve"] = "true"
    $farm.Properties["enable-trusted-resolve"] = "true"
    $farm.Update()